System and method for encrypting traffic on a network

ABSTRACT

According to embodiments of the present invention a system and method for encrypting traffic on a network is disclosed. Encrypted data is transmitted between a first network element and a second network element by: acquiring an encryption seed at the first network element, the encryption seed being substantially similar to a decryption seed at the second network element; generating at least one encryption key from the encryption seed; receiving data; encrypting the data using the encryption key to generate encrypted data; transmitting the encrypted data from the first network element to the second network element via a network; and updating the encryption seed at the first network element in response to an event trigger

FIELD OF THE INVENTION

This invention relates generally to communication networks and morespecifically to a system and method for encrypting data on a network.

BACKGROUND OF THE INVENTION

Transmission of data through a communications network has become acommonplace activity in modern life and business. Indeed transmission ofdata through communications networks such as the public internet, orother packet-based communications networks, has become an activity thatis a necessary part of most business structures, including transmissionof data from PC's and laptops as well as transmission of data frombusiness related network access devices such as customer serviceterminals and automated bank machines. Oftentimes the nature of the databeing transmitted through the communications network from these devicescan be of a sensitive nature, including business information, creditcard or debit card numbers, including passwords, as well as personalfinancial information and the like.

In general, sensitive data will be encrypted prior to transmissionthrough the communications network in a manner that is well known in theart: a pre-defined scheme is used to encrypt data at the originatingdevice using an encryption key. The data is transmitted to a destinationdevice where it is decrypted using a decryption key complementary to theencryption key. There are many methods for producing and exchanging thekeys which are well known to those of skill in the art. One suchencryption method is known as RSA, which is a public key encryptionsystem widely used in electronic commercial protocols as disclosed inU.S. Pat. No. 4,405,829 by Rivest et al. and hereby incorporated byreference herein.

Encryption of data is often used in combination with a “tunnel” througha communications network, such as a virtual private network (VPN) or apermanent virtual circuit (PVC). In particular a VPN “tunnel” providessecure transmission of data through the communications network byencapsulating one protocol or data transfer session inside another. In aVPN, the message to be sent from the originating device to thedestination device is encrypted at the originating device using anencryption scheme known by the destination device, for example an RSAencryption scheme. The encrypted message will include the data ofinterest, as well as data relevant to the transmission. Data relevant tothe transmission can include header information, etc.

The encrypted message is then transmitted to the destination device,using methods well known to those of skill in the art. The destinationdevice receives the message and subsequently decrypts it. Afterdecryption, it appears to the destination device as if the decryptedmessage was sent directly to the destination device through thecommunications network, without encryption, using the originaltransmission data.

In one such scheme for establishing a VPN, an encryption key generatorwithin a client at the originating location is provided with a seed. Theencryption key generator uses the seed to generate a first encryptionkey. This is passed to an encrypting client, which uses the firstencryption key to encrypt the data to be transmitted. A header is thenattached to the encrypted data and the encrypted data is transmitted tothe destination device, through the communication network, such as thepublic internet. The destination device has been pre-provisioned with adecryption key generator, as well as a seed complementary to the oneprovided to the encryption key generator; in general the encryption anddecryption seeds are the same seed. The decryption key generator usesthe seed to produce a first decryption key, complementary to the firstencryption key, which is passed to a decrypting client at thedestination, which in turn decrypts the encrypted data.

After a period of time, the first encryption key is passed to the inputof the encryption key generator, in essence to be used as a newencryption seed, to produce a second encryption key. Again, afteranother period of time has elapsed, the second encryption key is passedto the input of the encryption key generator to produce a thirdencryption key. This process continues during the entire encryptionsession as a means to discourage unauthorized users from discovering thecurrent encryption key and gaining access to the data. A similar processoccurs at the destination location to generate a complementarydecryption key each time a new encryption key is generated. Asynchronization step may occur at the beginning of this process orfurther be synchronized by a common clock or pre-synchronized clocks, toensure that the current decryption key is always complementary to thecurrent encryption key.

Generation of the seed for the encryption key generator and thedecryption key generator is crucial to this process. In the RSA schemereferred to previously, a user is provided with a seed generating devicewhich provides a seed to the user, which is entered into the encryptionkey generator to begin the cycle of key generation. Often, the user willalso enter a permanent password which is combined with the seed providedby the seed generating device to create a combined seed which is used tobegin the cycle of key generation. While the seed generating device isoften enabled to produce a seed periodically, for example every 60seconds, the user uses only one seed for the entire session. To ensurethat the generated decryption keys are complementary to the encryptionkeys, the decryption key generator must be provisioned with a seedgenerator synchronized with the user's seed generator, as well as theuser's permanent password.

A common problem associated with this scheme is that if a malicious userunderstands the algorithm for generating keys, and can learn theoriginal seed for the session, including the user's permanent password,used to generate the keys, or a key fed back into the key generator, itis possible to intercept the encrypted data on the communication networkand decrypt it, hence compromising the integrity of the encrypted data.Hence there is a risk that providing a single seed for a session may notbe adequate to fully protect the sensitive data in question. Inparticular, certain business institutions such as banks and brokeragesmay be particularly sensitive to the possibility of information beingcracked by a malicious user.

There remains a need therefore for an improved system and method forencrypting data on a network.

SUMMARY OF THE INVENTION

The invention addresses at least one of the above stated needs andmitigates at least one of the stated problems.

A first broad aspect of the present invention seeks to provide a methodfor transmitting encrypted data between a first network element and asecond network element. The first step of the method comprises acquiringan encryption seed at the first network element, the encryption seedbeing substantially similar to a decryption seed at the second networkelement. The second step of the method comprises generating at least oneencryption key from the encryption seed. The third step of the methodcomprises receiving data. The fourth step of the method comprisesencrypting the data using the encryption key to generate encrypted data.The fifth step of the method comprises transmitting the encrypted datafrom the first network element to the second network element via anetwork. The sixth step of the method comprises updating the encryptionseed at the first network element in response to an event trigger.

In some embodiments of the first broad aspect, the event triggercomprises a first event trigger, and the method further comprisesupdating the encryption seed in response to a second event trigger.Further in these embodiments a period between the first and second eventtriggers is less than the period required to derive one of theencryption seed and the at least one encryption key from the encrypteddata.

In some embodiments of the first broad aspect, the event trigger is thereceipt of an updated encryption seed.

A second broad aspect of the present invention seeks to provide a methodfor transmitting encrypted data between a first network element and asecond network element. The first step of the method comprises acquiringan encryption seed at the first network element, the encryption seedbeing substantially similar to a decryption seed at the second networkelement. The second step of the method comprises generating at least oneencryption key from the encryption seed. The third step of the methodcomprises receiving data. The fourth step of the method comprisesencrypting the data using said encryption key to generate encrypteddata. The fifth step of the method comprises transmitting the encrypteddata from the first network element to the second network element via anetwork. The sixth step of the method comprises updating the encryptionseed at the first network element in response to an event trigger.Further the acquiring an encryption seed at the first network element,and the updating the encryption seed at the first network element inresponse to an event trigger occurs during a single data session.

In some embodiments of the second broad aspect updating the encryptionseed at the first network element in response to an event triggercomprises acquiring an updated encryption seed.

A third broad aspect of the present invention seeks to provide a systemfor encrypting data for transmission from a computing apparatus to adestination network element via a network. The system includes anencryption seed generation apparatus enabled to: generate an encryptionseed, the encryption seed being substantially similar to a decryptionseed at the destination network element; transmit the encryption seed tothe computing apparatus; and generate an updated encryption seed andtransmit the updated encryption seed to the computing apparatus. Thesystem further includes a computing apparatus coupled to the network andthe encryption seed generation apparatus, the computing apparatusenabled to: receive an encryption seed; generate at least one encryptionkey from the encryption seed; receive data; encrypt the data using theencryption key to generate encrypted data; transmit the encrypted datafrom the computing apparatus to the destination network element via anetwork; and update the encryption seed with the updated encryption seedin response to an event trigger. Further in this embodiment, a periodbetween the receipt of the encryption seed and the updating theencryption seed is less than the period required to derive one of theencryption seed and the at least one encryption key from the encrypteddata.

In some embodiments of the third broad aspect the event trigger is thereceipt of an updated encryption seed.

In other embodiments of the third broad aspect the event trigger is thereceipt of a defined quantity of the data.

In further embodiments of the third broad aspect the event trigger isthe receipt of a signal from a synchronization entity, the entitycoupled to the network and the computing apparatus.

In some embodiments of the third broad aspect the event triggercomprises a first event trigger, wherein the system further comprisesupdating the encryption seed in response to a second event trigger.

In other embodiments of the third broad aspect the event trigger is thereceipt of an updated encryption seed.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention are described with reference to thefollowing figures, in which:

FIG. 1 a is a block diagram illustrating a system for encrypting data ona network according to one embodiment of the present invention;

FIG. 1 b is a block diagram illustrating a system for encrypting data ona network according to one embodiment of the present invention;

FIG. 1 c is block diagram illustrating components of a router deployedin the system for encrypting data on a network according to oneembodiment of the present invention;

FIG. 2 is a flow chart depicting the steps performed to encrypt data ona network according to one embodiment of the present invention;

FIG. 3 is a flow chart depicting the steps performed to encrypt data ona network according to one embodiment of the present invention;

FIG. 4 is a block diagram illustrating a system for encrypting data on anetwork according to one embodiment of the present invention;

FIG. 5 is block diagram illustrating components of a router deployed inthe system for encrypting data on a network according to one embodimentof the present invention.

DETAILED DESCRIPTION OF THE PRESENT INVENTION

FIG. 1 a depicts a system 100 for encrypting data on a network accordingto an embodiment of the present invention. The system 100 comprises atleast one originating communications device 110 in communication with arouter 120, which is further in communication with a communicationsnetwork 130. The at least one originating communications device 110 maycomprise a computing device equipped with a processor, a memory and aninput/output interface (I/O). System 100 may include a plurality of Noriginating communications devices 110, labelled 110 a, 110 b, 110 _(N)in FIG. 1 a. Communications device 110 may include personal computersand the like, as well as other network access devices such as customerservice terminals, automated bank machines (ABMs) and the like.

In some embodiments, each communications device 110 is in wirelinecommunication with router 120, using cabling such as twisted pair orcoaxial cables and the like; in further embodiments one or morecommunications device 110 are in wireless communication with router 120.In embodiments where wireless communication is employed, bothcommunication device 110 and router 120 communicate wirelessly usingprotocols such as Wi-Fi, WiMax and the like. Further, suitableencryption schemes may be employed to ensure secure transfer of databetween the communications device 110 and the router 120, the encryptionschemes being independent of further encryption schemes described below.

Router 120 may comprise any commercially available router, such as onemanufactured and distributed by Cisco Systems, Inc. of 170 West TasmanDr., San Jose, Calif. 95134, USA, enabled to accept data from at leastone communications device 110, and to accept input from encryption seedgenerator 140, including an encryption seed 145 generated by encryptionseed generator 140.

Details of router 120 in one embodiment of the present invention aredepicted in FIG. 1 c. Key generator 121 accepts encryption seed 145. Keygenerator uses encryption seed 145 to generate encryption key 122.Encryption key 122 passed to encryption device 123, which furtheraccepts data 124 from communications device 110. The encryption deviceuses encryption key 122 to encrypt the data 124, resulting in encrypteddata 126, which is then transmitted to communications network 130. Keygenerator 121 is further enabled to pass encryption key 122 to the inputof key generator 121, which then uses the encryption key 122 as a newseed to generate a new encryption key 122; this process typically occurson a periodic basis.

In a further embodiment of the present invention key generator 121 islocated in combination with encryption seed generator 140. Within thisembodiment router 120 is enabled to accept encryption key 122periodically and further enabled to pass encryption key 122 back toencryption key generator 121, to act as a new seed in the production ofa new encryption key 122. In yet further embodiments, encryption device123 may be located at computing device 110; within this embodimentrouter 120 is enabled to pass encryption key 122 to communication device110. Once the encryption key 122 is received by communications device110, encryption device 123 encrypts data 124 and passes the encrypteddata 126 back to router 120 for transmission to communications network130. Various other combinations may occur to those with skill in the artand are within the scope of the present invention.

Router 120 and encryption seed generator 140 are protected by a securebarrier 125 which limits physical access to router 120 and encryptionseed generator 140. Secure barrier 125 may be a locked room, a lockedbox and the like, containing Router 120 and encryption seed generator140, and which allows only authorized users access to the elementsinside secure barrier 125. In one embodiment secure barrier 125 is alsoprovided with a secure access system such as a key, or password enabledaccess, such as an electronic access system, or a combination of these.Other means of secure access may occur to those of skill in the art.Secure barrier 125 should also be constructed in a sufficiently ruggedmanner to deter a non-authorized user from breaking into it. As anon-limiting example, secure bather 125 may be constructed of highsecurity, thick steel walls, similar to those materials used inconstructing a vault, for example. The combination of a secure accesssystem coupled with rugged construction prevents non-authorized usersfrom gaining access to the router 120 and encryption seed generator 140,and prevents non-authorized users from obtaining sufficient informationto learn details of encryption seed 145.

In some embodiments of the present invention, the router 120 isincorporated directly into one of a plurality of communications devices110. In these embodiments, the plurality of communications devices 110a, 110 b, 110N are in communication with the communication devices 110incorporating the router 120 and through which all data from theremaining communications devices pass.

The encryption seed generator 140 may be a logical encryption seedgenerator, resident in router 120 or one of the communications devices110, or a hardware based encryption seed generator implemented within aseparate computing apparatus enabled to generate a plurality ofencryption seeds 145 and to communicate with router 120. Encryption seedgenerator 140 may be further equipped with an internal clock, andenabled to generate a new encryption seed periodically, for exampleevery 60 seconds. In a non-limiting example, encryption seed generator140 may be a commercially available encryption seed generator, such asRSA SecureID® USB Token manufactured and distributed by RSA Security of174 & 176 Middlesex Turnpike, Bedford, Mass. 01730.

In embodiments of the present invention encryption seed generator 140generates an encryption seed 145 to initialize the production ofencryption keys in an encryption key generator. The encryption seedgenerator 140 may use at least one encryption seed generation scheme.One such example of an encryption seed generation scheme is an RSAencryption seed generation scheme wherein a private numerical code isused to generate at least one encryption seed 145. In such an encryptionscheme, the encryption seed generator 140 is provided with apre-equipped random number, as well as method for generating a newencryption seed 145 periodically, for example every 60 seconds,according to the internal clock, or alternatively, synchronized with anexternal clock. In one encryption seed generation scheme, the time iscombined with the code and an algorithm to create the encryption seed145. In an alternative embodiment the counter number from an eventcounter may be combined with the code and an algorithm to create theencryption seed 145. Thus using the code, and least one other factorgenerated periodically, encryption seed generator 140 generates anencryption seed 145 according to a method described in U.S. Pat. No.4,405,829 by Rivest et al. Though the generation of encryption seed 145is described with reference to an RSA scheme, alternative encryptionschemes may be used including the ElGamal algorithm, DSA and ellipticcurve cryptography, or other encryption schemes well known to those ofskill in the art.

Communications network 130 may comprise any network which allows fortransmission of data from an originating communications device to adestination communications device. Specific non-limiting examplesinclude: the PSTN, including PBX and Centrex networks; and packetswitched networks such as the internet, or an intranet such as a LAN ora WAN. The communications network 130 could be based on a variety ofprotocols including, but not limited to internet protocol (IP) orasynchronous transfer mode (ATM) protocol. In some embodiments, portionsof communications network 130 may be enabled to transfer data using afirst protocol, whereas further portions can transfer data using anotheradditional protocol; in these embodiments the communications network 130will include an apparatus to translate transmitted data between eachprotocol.

As depicted in FIG. 1 a, communications network 130 is in furthercommunication with a destination device 150 which can accept datatransmitted from the communications network 130. The destination device150 may comprise a computing device equipped with a processor, a memoryand an input/output interface (I/O). In some embodiments the destinationdevice 150 may comprise a personal computers and the like, while infurther embodiments the destination device is a network servers and thelike. In a non-limiting example destination device 150 may be a serverwhich accepts financial data, such as financial transactions, from atleast one originating data device 110, such as an automated bankmachine. In this example, destination device 150 may accept thefinancial data from the automated bank machine and further process thefinancial data, or alternatively act as a gateway to a larger system forprocessing financial data and transaction. Other examples of destinationdevice 150 may occur to those of skill in the art.

Destination device 150 is coupled with a decryption seed generator 160,adapted to generate at least one decryption seed 165, complementary toat least one encryption seed 145. The decryption seed 165 allows adevice receiving data which has been encrypted using encryption keysgenerated from encryption seed 145 to be decrypted. In such a scheme,data is encrypted at an originating device, such as originatingcommunications device 110, or router 120, using the encryption seed 145,as a starting point for encryption key generation. The data istransmitted to the destination device 150 where the encrypted data maybe decrypted using decryption keys generated from decryption seed 165,in a manner known to those of skill in the art. Decryption seedgenerator 160 is further enabled to generate decryption key 165periodically in a manner similar to the method used encryption seedgenerator 140 to generate encryption seed 145. In some embodiments asecure barrier (not shown) similar to secure barrier 125 may be placedaround encryption seed generator 160 and destination device 150 toprevent un-authorized users from gaining physical access to the system.

Decryption seed generator 160 is further synchronized with encryptionseed generator 140 such that when encryption seed generator 140generates encryption seed 145, decryption seed generator 160 is enabledto generate a decryption seed 165 complementary to encryption seed 145.Decryption seed generator 160 is enabled to generate a new decryptionseed 165 periodically, for example every 60 seconds, in synchronizationwith encryption seed generator 140. Encryption seed generator 140 anddecryption seed generator 160 are synchronized with respect to time,each further equipped with an internal clock which have beensynchronized to each other.

In alternative embodiments, encryption key generator 140 and decryptionkey generator 160 may exchange synchronization data to allow for saidsynchronization. The exchange of synchronization data may occur viacommunication network 130, or alternatively could occur via a secondcommunications network (not pictured), such as a wireless network, abackhaul network, or a secure network. In yet another embodimentsynchronization data may be exchanged via a seed management entity whichmay be located at the router 120, encryption key generator 140, theoriginating communications device 110, the destination device 150, or ata separate network element in communication with communication network130.

Decryption seed generator 160 may generate a decryption seed 165 in amanner similar to the generation of encryption seed 145. Continuing withthe example of RSA encryption schemes, the decryption seed generator 160is provided with the same code as the encryption seed generator 140, anduses the same method for generating a new encryption seed periodically,for example every 60 seconds according to the synchronized internalclock. In one encryption seed generation scheme, the time is combinedwith the code and an encryption algorithm to create the decryption seed165 which is similar to encryption seed 145, the clock at the decryptionseed generator 160 being synchronized with the clock at the encryptionseed generator 140.

Decryption seed generator 160 may be a logical decryption seedgenerator, resident in destination device 150 or a hardware baseddecryption seed generator implemented within a separate computingapparatus enabled to generate a plurality of decryption seeds 165 and tocommunicate with destination device 150. Decryption seed generator 160may be further equipped with an internal clock, and enabled to generatea new encryption key periodically, for example every 60 seconds. In anon-limiting example, decryption seed generator 150 may be acommercially available seed generator, such as RSA SecureID® USB Tokenmanufactured and distributed by RSA Security of 174 & 176 MiddlesexTurnpike, Bedford, Mass. 01730.

In an alternative embodiment, destination device 150 may be incommunication with a plurality of originating communications devices,for example at different geographic locations, with each geographicgrouping of originating communications devices coupled to communicationnetwork 130 using a separate router 120 local to each location, or localto each originating communications device 110. In this embodiment eachrouter may be equipped with a separate encryption seed generator 140each of which may be assigned a different starting numerical code.Alternatively a single encryption seed generator 140 may be incommunication with the various routers; the encryption seed generator140 may be enabled to generate multiple encryption seeds from multiplestarting numeric codes and to further securely transmit the relevantencryption seed to the relevant router. The generation of the encryptionseeds may occur sequentially via a single encryption seed generatorlogic, or in parallel using a plurality of encryption seed generatorlogics. In this alternative the encryption seed generator 140 may befurther equipped with an encryption seed management logic to ensure thatthe various encryption seeds are sent to the relevant routers. Furtherthe secure transmission of the seeds may occur using a variety oftechniques known to those of skill in the art.

In these embodiments, decryption seed generator 160 is enabled togenerate a plurality of decryption seeds 165, using a plurality ofcodes, such that destination device 150 may receive and decrypt datafrom a plurality of originating data devices. In this embodiment thedecryption seed generator 160 may be enabled to generate multipledecryption seeds 165 from multiple starting numeric codes, thegeneration of decryption seeds 165 being synchronized with theencryption seeds 145 being generated at encryption seed generator 140,and further complementing the encryption seeds 145 being generated atencryption seed generator 140. The generation of the decryption seeds165 may occur sequentially via a single decryption seed generator logic,or in parallel using a plurality of decryption seed generator logics.The decryption seed generator 160 may be further equipped withdecryption seed management logic to ensure accurate communication of thevarious decryption seeds to the destination device 150. In yet anotheralternative embodiment the decryption seed generator may reside as alogical decryption seed generator on destination device 150.

Further in these embodiments destination device 150 may be enabled toaccept a plurality of decryption seeds 165 from decryption seedgenerator 160, and may be further enabled to generate a plurality ofdecryption keys from the decryption seeds 165 to decrypt encrypted dataarriving from the various routers. The decryption keys may be generatedsequentially by a single decryption key generator or in parallel by aplurality of decryption key generators. Destination device 150 may befurther equipped with a decryption key management logic to ensure thatthe decryption keys are being generated to synchronize with theencryption keys generated at the various routers 120, and to furtherensure that the correct decryption key is being used to decrypt dataarriving from a particular router. The decryption key management logicmay be further enabled to manage the decryption seeds being input intothe decryption key generator or generators

As depicted in FIG. 1 b, in some embodiments system 100 may include anauthentication server 170 in communication with communication network130. Authentication server 170 is enabled to authenticate and authorizea user for access to communication network 130. Authentication servermay be further enabled to authenticate and authorize a user for accessto destination communications device 150. In embodiments which includean authentication server 170, decryption seed generator 160 mayalternately be in communication with authentication server 170,authentication server 170 being further enabled to deliver a decryptionseed 165 to destination device 150 as a starting point for decryptionkey generation by a decryption key generator. Authentication Server 170may comprise a commercially available AAA server such as a RADIUS servermanufactured and distributed by Bridgewater Systems of 303 Terry FoxDrive, Suite 100 Ottawa, Ontario Canada K2K 3J1. In some embodiments asecure barrier (not shown) similar to secure barrier 125 may be placedaround decryption seed generator 160 and authentication server 170 toprevent un-authorize users from gaining physical access to the system.

A method 200 for encrypting data on a network, according to anembodiment of the present invention, will now be described withreference to FIG. 2. In order to assist in the explanation of themethod, it will be assumed that method 200 is operated using system 100of FIG. 1 a. Furthermore, the following discussion of method 200 willlead to further understanding of system 100 and its various components.It should be understood that the steps in method 200 need not beperformed in the sequence shown. Further, it is to be understood thatsystem 100 and/or method 200 can be varied, and need not work asdiscussed herein in conjunction with each other, and that suchvariations are within the scope of the present invention.

By way of illustration only, method 200 will be described, whenappropriate, using the non-limiting example of the method beingexecutable within router 120. It should be understood, however, thatmethod 200 may be equally executable within at least one of originatingcommunications devices 110 a, 110 b, 110N. At step 202 a datatransmission session is initiated between the router 120 and thedestination device 150. Such session initiation is well known to one ofskill in the art and may involve a series of handshaking steps toestablish communications.

At step 203 a one time password is received. The one time password is afixed numerical code or password which is known to both router 120 anddestination device 150. The exchange of the one time password isimplemented prior to the session initiation. The one time password maybe specific to router 120, or specific to each of originating computingdevices 110 a, 110 b, . . . 110 _(N). Alternatively, each originatingcomputing device may share the same one time password. The one timepassword may be already resident on router 120 and stored in memory, ormay be received from at least one originating computing device 110. Infurther embodiments the one time password may be omitted.

At step 204 an encryption seed 145 is received from encryption seedgenerator 140. The encryption seed 145 enables an encryption keygenerator to initialize the production of encryption keys. In someembodiments, at step 206, a check is made to ensure that the encryptionseed received at step 204 is synchronized with the decryption seed 165generated by decryption seed generator 160, intended to initializeproduction of decryption keys, the decryption seed 165 received atdestination device 150. This may comprise sending an encrypted testmessage to destination device 150, via communication network 130, themessage encrypted by an encryption key generated from the encryptionseed 145, and receiving confirmation of successful decryption of saidtest message, also via communication network 130, the decryptionoccurring using a decryption key generated from the complementarydecryption seed 165. Alternatively the encrypted test message andconfirmation message may be transmitted on a second communicationnetwork (not depicted) if router 120 and destination device 150 are alsocoupled to the second communication network. If confirmation ofsuccessful decryption is not received, then resynchronization may needto occur, and a message may be sent to the administrator of the router120. Alternatively this step may be performed elsewhere in the methodusing data received from the originating communications device 110 asthe test message. In yet another embodiment, this step may be omitted,with the various components assuming a synchronization scheme already tobe in place. As a non-limiting example pre-synchronized internal clockswithin the encryption seed generator 140 and the decryption seedgenerator 160 could be utilized.

At step 220 the encryption seed 145 and the one time password receivedat step 203 are combined into a combined encryption seed, which is usedto generate an encryption key to encrypt data received from originatingcommunications device 110, prior to transmission to destinationcommunications device 150. It is understood that encryption key 204 willbe used in conjunction with an encryption scheme resident on router 120.In embodiments where a one time password is not used, this step may beomitted. In some embodiments the one time password may be used only toauthenticate communications device 150, or a user of system 100, torouter 120. In these embodiments, step 220 may also be omitted.

At step 222 an encryption key is generated using the combined seed,generated at step 220. Alternatively the encryption key may be generatedusing only the encryption seed 145 generated at step 204 and the onetime password is used for initial authentication purposes only. Theencryption key is generated using a suitable algorithm; it is understoodthat such algorithms typically incorporate functions in which it isdifficult to calculate the encryption seed input to the function giventhe encryption key output. Non-limiting examples of such algorithmsinclude the RSA algorithm, the ElGamal algorithm, DSA and elliptic curvecryptography. However other algorithms for generating encryption keyswill occur to those of skill in the art.

At step 208, data to be transmitted to destination device 150 isreceived from originating communications device 110. At step 210 thedata is encrypted using the encryption key generated by key generator140. The encryption is performed using, for example, an RSA encryptionscheme; however other encryption schemes may be used. At step 212 theencrypted data is transmitted to destination device 150 viacommunication network 130.

After transmission of the encrypted data, router 120 may determine ifthe session is to continue. In one embodiment router 120 may querycommunications device 110 to determine if more data is to betransmitted. If no more data is to be transmitted then the session isterminated at step 216.

However, if more data is to be transmitted then, at step 224, adetermination is made as to whether or not a new encryption key is to begenerated. In one embodiment a new encryption key is generatedperiodically, for example every 60 seconds. This embodiment may includea synchronization step, to ensure that the new encryption key issynchronized with a new decryption key at the destination device 150.The synchronization may occur via a pre-synchronized process on both therouter 120 and the destination device 150, in which encryption key andcomplementary decryption keys are generated periodically, for exampleevery 60 seconds. Alternatively a synchronization message may beexchanged between router 120 and destination device 150 either viacommunication network 130 or a second communication network (not shown).In yet another alternative destination device 150 may store the currentdecryption key as well as a number of previous keys, and may evengenerate and store a number of expected future decryption keys; ifencrypted data received cannot be decrypted by the expected currentdecryption key, the destination device may test the success ofdecrypting the encrypted data using a number of previous and future keysto determine if resynchronization needs to occur. The resynchronizationcan be automatic, with the decryption key that successfully decrypts theencrypted data becoming the current decryption key, or a handshakingstep may occur between destination device 150 and router 120 in order toresynchronize the production of the encryption and decryption keys, andto re-authenticate the communication between the two devices. If nodecryption key located at destination device 150 is successful atdecrypting the data, either a resynchronization step may occur or,alternatively, a message may be sent to an administrator informing theadministrator of the problem; indeed this may signal a breach insecurity or may indicate the need to repair equipment.

However, in further embodiments, criteria other than periodic productionmay be used to determine whether a new encryption key should begenerated; for example a new encryption key may be generated once acertain amount of data has been encrypted with the current key. Notethat in this embodiment the new encryption key may be furthersynchronized with the decryption key generated at the destination device150. This may be triggered by the decryption of a certain amount of datausing the current decryption key, the amount of data which triggers thenew decryption key generation being similar to the amount of data whichtriggers the new encryption key generation. Alternatively a trigger maybe sent to destination device 150 from router 120 signalling the need togenerate a new decryption key. In yet another alternative, a signal maybe sent to a synchronization management entity which may then triggerthe generation of a new decryption key at destination device 150, bysending a signal to destination device 150. In yet another embodiment asynchronization management entity can trigger the production ofsynchronized encryption and decryption keys at both router 120 anddestination device 150 by sending a trigger signal to both router 120and destination device 150 when a new pair of keys is to be generated.

In yet another embodiment a new encryption key may be generated upon theinitiation of any new transmission of data originating fromcommunication device 110. This may apply, for example, whencommunication device is a customer service terminal or an automatedbanking machine; when a new customer uses the communication device andinitiates a new data transmission session, a new encryption key may begenerated. The synchronization of the new encryption key with thegeneration of a complementary decryption key at destination device 150may be coordinated by signalling the destination device 150 that a newdecryption key is to be generated, either through communication network130, through a second network, via a synchronization management entity,similar to that described above, or though including information aboutthe data transmission in the unencrypted header of the datatransmission. Alternatively, destination device 150 may store a numberof past decryption keys, the expected current decryption key and anumber of expected future decryption keys. Destination device 150 mayattempt to decrypt the encrypted data with a number of the storeddecryption keys, including the expected current decryption key and thenext expected decryption key.

If a new encryption key is to be generated, it must be decided at step218 if the new encryption key is to be generated using the originalencryption seed 145, or if the new encryption key should be generatedusing a new encryption seed 145, to be received from encryption seedgenerator 140. If the new encryption key is generated without receivinga new encryption seed 145, the router returns to step 222, and a newencryption key is generated using the current encryption key as theinput to the encryption key generation algorithm; in other words thecurrent encryption key acts as a seed to generate the new encryptionkey. Alternatively the current encryption key may be combined with theone time password to create a new combined encryption seed to act as aseed to generate the new encryption key.

However, if a new encryption seed 145 is to be received from encryptionseed generator 140, the router returns to step 204 to receive the newencryption seed 145. In one embodiment, a new encryption seed 145 isgenerated periodically, for example every 60 seconds; in this embodimentthe router, at step 218, will expect to receive a new encryption seed145 if the defined period has passed and the current encryption seed 145is expired or is about to expire. Within this embodiment asynchronization step may occur to ensure that the complementarydecryption seed 165 is received at destination device 150. Thesynchronization step may be similar to the synchronization stepspreviously described in relation to the synchronization of theencryption and decryption keys. Similarly, other criteria may be used todetermine if a new encryption seed is to be received, such as thetransmission of a certain amount of data, a trigger from an internalclock or external synchronization entity, or the start of a new datatransmission. Synchronization steps for these embodiments are similar tothose described above for similar approaches to encryptionkey/decryption key generation and synchronization.

In embodiments of the present invention, encryption seeds are used toinitialize encryption key generation for transmission of data through anetwork, and the encryption seed used to initialize encryption keygeneration is changed in a manner that deters malicious andnon-authorized users from gaining access to the data. Indeed regularlyupdating the encryption seed acts as a deterrent to malicious users as,within embodiments of the present invention, the life of an encryptionseed is less than the time required to derive or calculate theencryption seed 145, or one of the encryption keys, using electronicmethods, using the encrypted data or other information, as a startingpoint.

Though depicted as following step 224 in FIG. 2, step 218 may occur atany point in method 200, following either step 204, 206, 208, 210, 212,214, 220, or 222. Indeed triggering of a receipt of a new encryptionseed may occur somewhat independently of the order of the steps ofmethod 200, for example occurring at pre-set time intervals, such asevery 60 seconds, or alternatively after a pre-set quantity of data hasbeen transmitted, or after each transaction on computing device 110, ora combination of these. Other triggers for receiving a new encryptionseed may occur to those of skill in the art.

Further, step 218 may be triggered by a component of system 100 externalto the apparatus on which method 200 is being executed, for example anexternal synchronization entity. Such an entity would be substantiallysimilar to the entity described above with reference to thesynchronization of encryption keys, and capable of transmitting atrigger to generate a new encryption key to the router 120 and furthercapable of transmitting a trigger to generate a new decryption key tothe destination device 150. In one embodiment a trigger is sent to bothapparatus; in other embodiments a single trigger is sent to a singleapparatus, which then further sends a trigger to the second apparatus.

Continuing with the non-limiting example, if method 200 is beingexecuted on router 120, step 218 may be triggered at any point withinmethod 200, including during the execution of steps 204, 206, 208, 210,212, 214, 220, 222, or 224 when encryption seed generator 140 generatesa new encryption seed 145 and sends said encryption seed 145 to router120.

As a non-limiting example, FIG. 3 depicts method 300 for encrypting dataon a network, according to an alternative embodiment of the presentinvention. Method 300 is substantially similar to Method 200 depicted inFIG. 2, however the determination if a new encryption seed 145 is to bereceived from seed generator 140 occurs following the receipt of data,as described in step 208 of Method 200. It should be understood thatstep 302 of Method 300 corresponds to step 202 of method 200, step 304corresponds to step 204 and so on.

Within method 300, following encryption key generation step 322, adetermination is made if data has already been received at step 326.This is the only additional step that occurs within method 300 that doesnot correspondingly occur in method 200. If data has not been received,then router 120 receives the data at step 308. If data has beenreceived, a determination if a new seed is to be received occurs at step318. Similarly, step 318 is executed after receiving data in step 308.The determination of whether or not a new seed is to be received mayoccur at this point in method 300, either as an integral part of method300 or, in an alternative embodiment, the insertion of step 318 at thispoint in method 300 may occur due to an external trigger, such asencryption seed generator 140 transmitting the encryption seed 145 atpre-determined time intervals. If a new encryption seed 145 is to bereceived, then router 120 returns to step 304 to receive a newencryption seed 145. If a new encryption key 145 is not to be received,the received data is encrypted at step 310, and the encrypted data istransmitted at step 312. At step 314, a determination is made as towhether there is more data to transmit. If so, a determination is madeas to whether a new encryption key is to be generated at step 324; ifnot the session terminates at step 316.

Alternatively, if there is no immediate need to transmit data, thesession may not end and router 120 will wait until new data is to bereceived. In a non-limiting example, this may occur if originating datadevice 110 is a customer service terminal, where data transmissionoccurs intermittently, and where a business administering the customerservice terminal wishes to reduce latency for a customer using theterminal. In this embodiment, the administrator may wish to initiate asingle session which lasts, for example, during the operating hours ofthe business. In this embodiment the session would not terminate unlesssuch termination is initiated by the administrator.

Returning to FIG. 2, the insertion of the step to determine if a newencryption seed 145 is to be received may similarly occur following theencryption step, depicted as step 210 in method 200. It is understoodthat additional steps may then be required to determine if encrypteddata is to be re-encrypted with a new encryption key generated from thenew encryption seed 145 prior to transmission, or if the new encryptionseed 145 is to be used only with additional data received. Furthersynchronization steps may also occur. Similarly the insertion of thestep to determine if a new encryption seed 145 is to be received maysimilarly occur following the transmission step, depicted as step 212 inmethod 200. It is understood that additional steps may be required todetermine if data is to be retransmitted using a new encryption keygenerated from the new encryption seed 145 prior, or if the newencryption seed 145 is to be used only with additional data received.

In embodiments where the determination of whether a new encryption seed145 is to be received is triggered by an entity external to theapparatus on which method 200 is occurring, this determination may occurduring one of steps 204, 206, 208, 210, 212, 214, 220, 222, or 224. As anon limiting example, encryption seed generator 140 may attempt to senda new encryption seed 145 to router 120, while one of steps 204, 206,208, 210, 212, 220, 222 or 224 is occurring. In some embodiments thestep may be allowed to complete; in other embodiments the step may beinterrupted to receive the new encryption seed 145. In the latterembodiment, should the step be interrupted during the encryption step210, or the transmission step 212, additional steps may occur todetermine if the data is to be re-encrypted and/or re-transmitted usinga new encryption key generated from the new encryption seed 145. If theexternal entity triggers the receipt of the new encryption seed 145during the receiving data step 208, method 200 may be modified to allowthe receiving data step 208 and the receive new encryption seed step 204to be performed in parallel. Alternatively, one step may be completedbefore the other step occurs. Alternatives may occur to those of skillin the art and are within the scope of the present invention.

In further embodiments the determination to generate a new encryptionkey step 224, may occur at any point method 200, similar to thedetermination to generate a new encryption seed step 218. Indeed step224 may follow, or occur during, steps 204, 206, 208, 210, 212, 214,218, or 220, and embodiments where either of these alternatives occurare substantially similar to those described with reference to step 218.

FIG. 4 depicts system 400, an alternative embodiment for encrypting dataon a network. System 400 is substantially similar to System 100 depictedin FIG. 1, with similar network elements having similar numbers; in FIG.4 router 120 from System 100 is labelled router A 120 for clarity. Theprimary difference between system 100 and system 400 is the addition ofrouter B 420, which couples destination device 150 and decryption seedgenerator 160 to communication network 130. In this embodimentauthentication of originating data device 110, and subsequent decryptionof data may occur at router B 420. Alternatively router B 420 may act asa gateway to an authentication server 170, similar to authenticationserver 170 depicted in FIG. 1 b. In yet a further embodimentauthentication and decryption may occur at destination device 150 withrouter 420 acting only as a gateway to destination device 150. Infurther embodiments authentication server 170, destination device 150and router B 420 may each authenticate and/or decrypt in a variety ofcombinations, each being within the scope of the present invention, witha network connection being secured between router A 120 and router B420.

In an alternative embodiment decryption seed generator 160 may beincorporated into router B 420, destination device 150, orauthentication server 170. In yet further embodiments router B 420 maybe incorporated into authentication server 420 or destination device150.

Details of router B 420, depicted in FIG. 5, are substantially similarto Router A 120 depicted in FIG. 1 c. However, Router B 420 contains adecryption key generator 521 to produce a decryption key 522, as well asa decryption device 523 that accepts encrypted data 126 and producesdecrypted data 124. The production of decryption keys 522 by decryptionkey generator 521 is substantially similar to the production ofencryption keys 122 by encryption key generator 121.

Router B 420 may also act as a gateway to a secure communication network(not depicted), which is considered a secure communication network byboth the users of originating communication device 110 and the users ofdestination device 150. Within this embodiment data is received atrouter B 420, decrypted and forwarded on to destination device 150,which is an element of the secure communication network. Indeed Router B420 may decrypt data for a plurality of destination devices 150connected to secure communications network 150. In this manner, a singlepair of routers, router A 120 and router B 420, may act to securelyencrypt and decrypt data transmissions between a plurality oforiginating communications devices 110 and a plurality of destinationdevices 150.

Persons skilled in the art will appreciate that there are yet morealternative implementations and modifications possible for implementingthe present invention, and that the above implementations and examplesare only illustrations of one or more embodiments of the presentinvention. The scope of the invention, therefore, is only to be limitedby the claims appended hereto.

1-12. (canceled)
 13. A method for encrypting data, comprising:encrypting data using an original encryption key generated at leastpartly from an original encryption seed; providing additional data forencryption; acquiring a new encryption seed; determining whether a newencryption key is to be generated; determining whether the originalencryption seed has expired; responsive to determining that a newencryption key is to be generated and that the original encryption keyhas expired: generating a new encryption key at least partly from thenew encryption seed and encrypting additional data using the newencryption key; responsive to determining that a new encryption key isto be generated and that the original encryption key has not expired:generating a new encryption key at least partly from the originalencryption seed and encrypting additional data using the new encryptionkey; and responsive to determining that a new encryption key is not tobe generated: encrypting the additional data using the originalencryption key.
 14. The method defined in claim 13, wherein saiddetermining whether the first encryption seed has expired is carried outin response to determining that a new encryption key is to be generated.15. The method defined in claim 13, wherein said acquiring a secondencryption seed is carried out after said determining whether a newencryption key is to be generated.
 16. The method defined in claim 13,wherein said acquiring a second encryption seed is carried out aftersaid determining whether a new encryption key is to be generated. 17.The method defined in claim 13, wherein a new encryption key is to begenerated after a predetermined amount of time has elapsed sincegeneration of the original encryption key.
 18. The method defined inclaim 13, wherein a new encryption key is to be generated upon havingencrypted a predetermined amount of data.
 19. The method defined inclaim 13, wherein a new encryption key is to be generated upon receiptof a trigger from a synchronization management entity.
 20. The methoddefined in claim 13, wherein a new encryption key is to be generatedupon said providing the additional data.
 21. The method defined in claim13, wherein the original encryption seed is determined to have expiredupon said acquiring the new encryption seed.
 22. The method defined inclaim 13, wherein the original encryption seed is determined to haveexpired after a predetermined amount of time has elapsed.
 23. The methoddefined in claim 13, wherein the original encryption seed is determinedto have expired upon having encrypted a predetermined amount of data.24. The method defined in claim 13, wherein the original encryption seedis determined to have expired upon said providing the additional data.25. The method defined in claim 13, wherein acquiring the new encryptionseed comprises receiving the new encryption seed from a seed generator.26. A system for encrypting data, comprising: a seed generator forgenerating an original encryption seed and a new encryption seed; acomputing apparatus configured for: encrypting data using an originalencryption key generated at least partly from the original encryptionseed; providing additional data for encryption; acquiring the newencryption seed from the seed generator; determining whether a newencryption key is to be generated; determining whether the originalencryption seed has expired; responsive to determining that a newencryption key is to be generated and that the original encryption keyhas expired: generating a new encryption key at least partly from thenew encryption seed and encrypting additional data using the newencryption key; responsive to determining that a new encryption key isto be generated and that the original encryption key has not expired:generating a new encryption key at least partly from the originalencryption seed and encrypting additional data using the new encryptionkey; and responsive to determining that a new encryption key is not tobe generated: encrypting the additional data using the originalencryption key.
 27. A method for decrypting data, comprising: decryptingdata using an original decryption key generated at least partly from anoriginal decryption seed; providing additional data for decryption;acquiring a new decryption seed; determining whether a new decryptionkey is to be generated; determining whether the original decryption seedhas expired; responsive to determining that a new decryption key is tobe generated and that the original decryption key has expired:generating a new decryption key at least partly from the new decryptionseed and decrypting additional data using the new decryption key;responsive to determining that a new decryption key is to be generatedand that the original decryption key has not expired: generating a newdecryption key at least partly from the original decryption seed anddecrypting additional data using the new decryption key; and responsiveto determining that a new decryption key is not to be generated:decrypting the additional data using the original decryption key.